diff --git a/modules/gke-cluster/README.md b/modules/gke-cluster/README.md
index 20a3f2fc30..a34b72b93b 100644
--- a/modules/gke-cluster/README.md
+++ b/modules/gke-cluster/README.md
@@ -68,13 +68,13 @@ module "cluster-1" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [location](variables.tf#L155) | Cluster zone or region. | string
| ✓ | |
-| [name](variables.tf#L222) | Cluster name. | string
| ✓ | |
-| [network](variables.tf#L227) | Name or self link of the VPC used for the cluster. Use the self link for Shared VPC. | string
| ✓ | |
-| [project_id](variables.tf#L271) | Cluster project id. | string
| ✓ | |
-| [secondary_range_pods](variables.tf#L294) | Subnet secondary range name used for pods. | string
| ✓ | |
-| [secondary_range_services](variables.tf#L299) | Subnet secondary range name used for services. | string
| ✓ | |
-| [subnetwork](variables.tf#L304) | VPC subnetwork name or self link. | string
| ✓ | |
+| [location](variables.tf#L161) | Cluster zone or region. | string
| ✓ | |
+| [name](variables.tf#L228) | Cluster name. | string
| ✓ | |
+| [network](variables.tf#L233) | Name or self link of the VPC used for the cluster. Use the self link for Shared VPC. | string
| ✓ | |
+| [project_id](variables.tf#L277) | Cluster project id. | string
| ✓ | |
+| [secondary_range_pods](variables.tf#L300) | Subnet secondary range name used for pods. | string
| ✓ | |
+| [secondary_range_services](variables.tf#L305) | Subnet secondary range name used for services. | string
| ✓ | |
+| [subnetwork](variables.tf#L310) | VPC subnetwork name or self link. | string
| ✓ | |
| [addons](variables.tf#L17) | Addons enabled in the cluster (true means enabled). | object({…})
| | {…}
|
| [authenticator_security_group](variables.tf#L53) | RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com. | string
| | null
|
| [cluster_autoscaling](variables.tf#L59) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | object({…})
| | {…}
|
@@ -83,28 +83,29 @@ module "cluster-1" {
| [description](variables.tf#L97) | Cluster description. | string
| | null
|
| [dns_config](variables.tf#L103) | Configuration for Using Cloud DNS for GKE. | object({…})
| | null
|
| [enable_autopilot](variables.tf#L113) | Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node). | bool
| | false
|
-| [enable_dataplane_v2](variables.tf#L119) | Enable Dataplane V2 on the cluster, will disable network_policy addons config. | bool
| | false
|
-| [enable_intranode_visibility](variables.tf#L125) | Enable intra-node visibility to make same node pod to pod traffic visible. | bool
| | null
|
-| [enable_l4_ilb_subsetting](variables.tf#L131) | Enable L4ILB Subsetting. | bool
| | null
|
-| [enable_shielded_nodes](variables.tf#L137) | Enable Shielded Nodes features on all nodes in this cluster. | bool
| | null
|
-| [enable_tpu](variables.tf#L143) | Enable Cloud TPU resources in this cluster. | bool
| | null
|
-| [labels](variables.tf#L149) | Cluster resource labels. | map(string)
| | null
|
-| [logging_config](variables.tf#L160) | Logging configuration (enabled components). | list(string)
| | null
|
-| [logging_service](variables.tf#L166) | Logging service (disable with an empty string). | string
| | "logging.googleapis.com/kubernetes"
|
-| [maintenance_config](variables.tf#L172) | Maintenance window configuration. | object({…})
| | {…}
|
-| [master_authorized_ranges](variables.tf#L198) | External Ip address ranges that can access the Kubernetes cluster master through HTTPS. | map(string)
| | {}
|
-| [min_master_version](variables.tf#L204) | Minimum version of the master, defaults to the version of the most recent official release. | string
| | null
|
-| [monitoring_config](variables.tf#L210) | Monitoring configuration (enabled components). | list(string)
| | null
|
-| [monitoring_service](variables.tf#L216) | Monitoring service (disable with an empty string). | string
| | "monitoring.googleapis.com/kubernetes"
|
-| [node_locations](variables.tf#L232) | Zones in which the cluster's nodes are located. | list(string)
| | []
|
-| [notification_config](variables.tf#L238) | GKE Cluster upgrade notifications via PubSub. | bool
| | false
|
-| [peering_config](variables.tf#L244) | Configure peering with the master VPC for private clusters. | object({…})
| | null
|
-| [pod_security_policy](variables.tf#L254) | Enable the PodSecurityPolicy feature. | bool
| | null
|
-| [private_cluster_config](variables.tf#L260) | Enable and configure private cluster, private nodes must be true if used. | object({…})
| | null
|
-| [release_channel](variables.tf#L276) | Release channel for GKE upgrades. | string
| | null
|
-| [resource_usage_export_config](variables.tf#L282) | Configure the ResourceUsageExportConfig feature. | object({…})
| | {…}
|
-| [vertical_pod_autoscaling](variables.tf#L309) | Enable the Vertical Pod Autoscaling feature. | bool
| | null
|
-| [workload_identity](variables.tf#L315) | Enable the Workload Identity feature. | bool
| | true
|
+| [enable_binary_authorization](variables.tf#L119) | Enable Google Binary Authorization. | bool
| | false
|
+| [enable_dataplane_v2](variables.tf#L125) | Enable Dataplane V2 on the cluster, will disable network_policy addons config. | bool
| | false
|
+| [enable_intranode_visibility](variables.tf#L131) | Enable intra-node visibility to make same node pod to pod traffic visible. | bool
| | null
|
+| [enable_l4_ilb_subsetting](variables.tf#L137) | Enable L4ILB Subsetting. | bool
| | null
|
+| [enable_shielded_nodes](variables.tf#L143) | Enable Shielded Nodes features on all nodes in this cluster. | bool
| | null
|
+| [enable_tpu](variables.tf#L149) | Enable Cloud TPU resources in this cluster. | bool
| | null
|
+| [labels](variables.tf#L155) | Cluster resource labels. | map(string)
| | null
|
+| [logging_config](variables.tf#L166) | Logging configuration (enabled components). | list(string)
| | null
|
+| [logging_service](variables.tf#L172) | Logging service (disable with an empty string). | string
| | "logging.googleapis.com/kubernetes"
|
+| [maintenance_config](variables.tf#L178) | Maintenance window configuration. | object({…})
| | {…}
|
+| [master_authorized_ranges](variables.tf#L204) | External Ip address ranges that can access the Kubernetes cluster master through HTTPS. | map(string)
| | {}
|
+| [min_master_version](variables.tf#L210) | Minimum version of the master, defaults to the version of the most recent official release. | string
| | null
|
+| [monitoring_config](variables.tf#L216) | Monitoring configuration (enabled components). | list(string)
| | null
|
+| [monitoring_service](variables.tf#L222) | Monitoring service (disable with an empty string). | string
| | "monitoring.googleapis.com/kubernetes"
|
+| [node_locations](variables.tf#L238) | Zones in which the cluster's nodes are located. | list(string)
| | []
|
+| [notification_config](variables.tf#L244) | GKE Cluster upgrade notifications via PubSub. | bool
| | false
|
+| [peering_config](variables.tf#L250) | Configure peering with the master VPC for private clusters. | object({…})
| | null
|
+| [pod_security_policy](variables.tf#L260) | Enable the PodSecurityPolicy feature. | bool
| | null
|
+| [private_cluster_config](variables.tf#L266) | Enable and configure private cluster, private nodes must be true if used. | object({…})
| | null
|
+| [release_channel](variables.tf#L282) | Release channel for GKE upgrades. | string
| | null
|
+| [resource_usage_export_config](variables.tf#L288) | Configure the ResourceUsageExportConfig feature. | object({…})
| | {…}
|
+| [vertical_pod_autoscaling](variables.tf#L315) | Enable the Vertical Pod Autoscaling feature. | bool
| | null
|
+| [workload_identity](variables.tf#L321) | Enable the Workload Identity feature. | bool
| | true
|
## Outputs
diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf
index 56f7ea75a1..e0b31a3187 100644
--- a/modules/gke-cluster/main.tf
+++ b/modules/gke-cluster/main.tf
@@ -292,6 +292,13 @@ resource "google_container_cluster" "cluster" {
}
}
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [""] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
dynamic "dns_config" {
for_each = var.dns_config != null ? [""] : []
content {
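Review bot: The new `binary_authorization` block enforces the project singleton policy, but nothing in this module manages that policy and a project's default Binary Authorization policy admits every image, so `enable_binary_authorization = true` yields no actual image verification until a `google_binary_authorization_policy` with a restrictive default admission rule exists in the project; the hunk should state this, e.g. `# Enforcement uses the project-level policy, which this module does not manage; the GCP default policy allows all images.` above the `dynamic "binary_authorization"` line. The same caveat belongs in the `enable_binary_authorization` variable description in variables.tf, which currently reads only "Enable Google Binary Authorization.". Consider also whether `evaluation_mode` should be a variable rather than fixed to `PROJECT_SINGLETON_POLICY_ENFORCE`, since turning the flag back off drops the block instead of setting `DISABLED`, and whether the provider then reverts enforcement is worth confirming with a plan. The enclosing `google_container_cluster` resource starts and ends outside the hunk.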
diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster/variables.tf
index 58be03c9d6..2c9fccbe4a 100644
--- a/modules/gke-cluster/variables.tf
+++ b/modules/gke-cluster/variables.tf
@@ -116,6 +116,12 @@ variable "enable_autopilot" {
default = false
}
+variable "enable_binary_authorization" {
+ description = "Enable Google Binary Authorization."
+ type = bool
+ default = false
+}
+
variable "enable_dataplane_v2" {
description = "Enable Dataplane V2 on the cluster, will disable network_policy addons config."
type = bool